The Register: Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11 million

Source URL: https://www.theregister.com/2025/02/19/decadeold_healthcare_security_snafu_settled/
Source: The Register
Title: Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11 million

Feedly Summary: If this makes you feel sick, knowing this happened before ransomware actors started targeting medical info may help
An alleged security SNAFU that occurred during the Obama administration has finally been settled under the second Trump administration.…

AI Summary and Description: Yes

Summary: The text discusses a settlement involving Health Net Federal Services (HNFS) and Centene Corporation regarding false claims of compliance with information security standards in a Department of Defense contract. The settlement underlines the importance of adhering to cybersecurity and privacy requirements, especially when handling sensitive healthcare data for military personnel and their families.

Detailed Description: The content highlights a significant legal and compliance issue in the realm of information security, particularly how organizations manage and report their compliance with cybersecurity requirements. Here are the key insights:

– **Settlement Details**: Centene Corporation and its subsidiary HNFS agreed to pay over $11 million for allegedly false certifications of compliance with information security obligations under a government contract with the Defense Health Agency (DHA).
– **Compliance Failure**: The claims state that between 2015 and 2018, HNFS failed to meet various cybersecurity standards:
  – Ignored reports from third-party security auditors.
  – Disregarded its internal audit findings related to critical security areas such as:
    – Asset management
    – Access controls
    – Configuration settings
    – Patch management
    – Vulnerability scanning
    – Password policies
– **Impact on Sensitive Data**: Although no breach or loss of protected data was recorded, the potential exposure of millions of sensitive healthcare records is a serious concern for compliance and security professionals, since such data is highly sought after by ransomware groups and other cybercriminals.
– **Regulatory and Legal Implications**: The case emphasizes the vital need for organizations, particularly those handling sensitive data, to follow through with rigorous cybersecurity practices and compliance measures to avoid legal penalties and protect crucial information.
– **Agency Statements**: The Acting US Attorney emphasized the importance of safeguarding information about military personnel and their families, showing that lapses in cybersecurity obligations have consequences beyond the organization itself, reaching national security and public trust.

These points illustrate the ongoing challenges in ensuring compliance with information security and highlight the legal repercussions organizations may face when failing to uphold necessary cybersecurity protocols. Understanding these issues is critical for professionals involved in information security, compliance, and risk management.